Joel Simon was scanning for news of journalists under fire when he was drawn to a suspicious email by an odd misspelling of a colleague’s name.
Simon is the executive director of the Committee to Protect Journalists, which reveals abuses against the Fourth Estate.
It came from “Rony Kevin”, a name similar to Rony Koven, who works for the World Press Freedom Committee, a CPJ partner. The subject line read: ‘Fw: Journalists arrested in Gambia’ and had a message body cut and pasted from press freedom group, Article 19.
CPJ internet advocacy coordinator Danny O’Brien says it had a password-protected zip attachment but CPJ employees are “extremely cautious about opening strange attachments”.
Inside were photos of Gambian journalists and a Windows executable disguised as a photo that would have run silently. Comments in the unpacking utility were in Chinese and the payload communicated with an Indonesian server.
O’Brien doesn’t know if repressive regimes were responsible, although “there aren’t many other reasons to target press-freedom groups, unless you are able to sell control of their computers to a third party who cares to disrupt or monitor their activities”.
“You might not need to speak Chinese to use a piece of software with Chinese comments, so I don’t think you can draw many conclusions from that,” he says. “Neither can you draw much from the use of an Indonesian command-and-control centre.”
The password-protected file – reasonable in such an email – could bypass anti-malware scanners, although the Windows executable would trigger alarms. And the effort to understand the target’s relationships points to “spearphishing”, a targeted attack; “the personalised password (‘CPJ’) also helps make the email seem more genuine”, O’Brien says.
Such events point to the need to run attachments in a sandbox at the time of access, says Benjamin Teh, Asia general manager at security vendor Lastline, which has the Anubis service to scan Windows binaries and URLs for malware in a sandbox; its Andrubis does the same for mobile Android devices.
The CPJ attack has similarities to that against security vendor RSA when an intruder leveraged a peer relationship with a trusted partner. Such “social engineering” attacks are at plague proportions and often “chained” to other exploits, leading the victim down a rabbit hole from which it’s difficult to extricate themselves.
In 46 percent of cases, according to Verizon, attackers start with a phone call or email (17 percent) or physically trespass on the victim’s premises (37 percent). And while much of the security community’s emphasis in the past three years was on insiders – Verizon this year found they were implicated in 4 percent of attacks – 96 percent were external attackers.
And it found “higher frequencies of web and email infection(s) and lower frequencies of malware installed by attackers” in big organisations, while drive-by downloads from infected websites were more common against SMEs. “Break the chain of events and you stop the incident from proceeding,” Verizon advises in its latest threat report.
Sydney security researcher, Securus Global, does such social-engineering audits for Australian enterprises and governments.
“If you chain vulnerabilities together, you can go really far,” a Securus Global researcher who requested anonymity told a closed-door gathering. “A vulnerability can seem small and of little overall risk but finding many of them chained allows for greater access into a company. Many companies address vulnerabilities as if they’re one-offs” – and don’t consider the implications of such a holistic view.
And once there’s a chink in the enterprise armour, the first thing an attacker does is metastasise the breach, often relying on the target’s reliance on automated systems and incomplete risk profiles.
Referring to the global takedown of Sony’s PSN servers, which took the entertainment service off the air for a month and compromised 77 million accounts, the researcher said tools were “10 years behind where they need to be” and can’t encapsulate a penetration tester’s knowledge.
For instance, while under the watchful gaze of an FBI agent, Securus Global social engineer “Wayne” won his way to the top of a “capture the flag” competition at hacker gathering Defcon, gathering every bit of information from a global beverage giant. He leveraged an appeal to authority to coerce the helpful contact centre employee who had just completed security induction.
Securus Global managing director Drazen Drazic says, “we had enough information to do whatever we liked combined with a traditional IT attack”, if the intent was malicious. “All other companies gave away varying degrees of confidential information.”
Verizon found that regular workers were targets in 43 percent of cases while front-line staff (tellers, cashiers, waiters) were implicated in a third of intrusions. More worryingly, unwitting senior executives, HR, IT and finance staff – people who ought to know better – aided more than a fifth of intrusions.
1. Email, instant messaging are your customers’ worst enemies
The spearphishing attack on RSA – a Flash object embedded in an Excel file – targeted its SecurID tokens, eventually compromising major US defence contractors and causing the security vendor to lose face. The emails sent to RSA workers, titled “2011 recruitment plan”, were caught by spam folders but a worker fished out the dodgy email.
“The email that came in to RSA was from an organisation that we dealt with,” says RSA adviser Ian Farquhar. “People are the perimeter and people are really hard to upgrade. Someone received the email and opened it unwisely and that allowed the bad guys on to our network. That’s what happens in most cases, that’s the advanced persistent threat.”
RSA was reasonably lucky. It had NetWitness (which parent company EMC subsequently bought) to identify the threat, but not before the attacker wormed its way up the vendor’s information food chain.
Security researchers say most persistent threats are not advanced, although they tend to be diverse against big organisations. Securus Global says the average length of an intrusion – its “persistence” – is six months to a year, with the attacker hammering away daily. Verizon notes 92 percent of intrusions are revealed by outside parties – something for savvy resellers to consider.
Once an attacker gains access, they may install command shells (such as ksh or c99) and elevate their privileges – as happened with RSA – to access more resources and build a life raft in the event of exposure.
Trend Micro antispam senior architect Jon Oliver says the Blackhole toolkit is the most favoured by hackers: “It’s the best on market in terms of exploits. As soon as you click on it, you are exploited,” Oliver says.
Staff must be on their guard when dealing with the outside world especially on untrusted connections. That includes talking to overly friendly strangers.
A Securus Global researcher says instant messaging “presents a far greater threat” than email: “It’s the ability of an attacker to directly communicate with a victim”. And organisations should invest in virtual private networks, email encryption and signing to reduce the incidence and severity of such attacks.
Read on for how size doesn't matter but physical security does, where the bad guys live and how to be wary of the company you keep.
2. Every business is at risk (but not equally and not all the time)
You may have customers who feel they are small fry, so spend little on security, or big ones lulled into false confidence by the amount of money and time they do spend. The fact of the matter, however, is that every business is at risk, although the spectre is different for each.
Larger organisations tend to face more varied threats while SMEs face attacks on point-of-sale devices and maybe the insertion points into bigger partners. Few retailers – especially in hospitality, the most afflicted sector – have PoS anti-tampering processes. And manufacturing and information services are most at risk when it comes to number of records stolen.
Larger organisations are more likely to be targets of social attacks, possibly because they have better perimeters and also are easier to recce using tools such as LinkedIn. In those organisations, 58 percent of attacks involve hacking, resulting in 99 percent of records lost; malware comes in second, according to Verizon. And keyloggers were present in nearly half of cases, irrespective of company size.
But SMEs are six times more likely to be breached through default or simple credentials. Securus Global’s Drazic says the scale of big companies insulates them from the consequences, but a “startup that is compromised may lose support, financing and consumer confidence” that could cruel their growth or end them in the crib.
Verizon investigator Mark Goudie says on an audit in which he was recently involved, an Australian business found its vendor was using the same password – the vendor’s company name – for its customers worldwide. It would take just one of them to be breached for all to be laid bare, he says.
Hacktivists such as LulzSec, Anonymous and 4chan also were responsible for the greatest number of records purloined last year, often against high-profile targets such as security providers (HBGary), government and law enforcement. Goudie says if you don’t need data, delete it, securely, even if that puts you on a collision course with the organisation’s “big data” forces.
SMEs may also find themselves swept up in a hacking driftnet as attackers scan IP ranges or exploit application vulnerabilities, especially those known as “zero-day”, for which defences are lowest.
3. Physical security matters
It could be easier and cheaper to physically break into your customer’s organisation than through a computer system either to exfiltrate data or to plant malware.
“Social engineers were leaving thumb drives around an organisation, giving them away for free – that bypasses a lot of procedures,” says Imation Asia-Pacific general manager Sven Radavics. He says China was implicated in an attack against the Indian Navy that used this approach. And he says those “walking around with some sort of authority are left untouched by employees except in the most rarefied environments”, allowing them to steal data or plant malware.
Organisations may print data they sense is too valuable to be left online, but leave it labelled in unlocked cupboards for the attentive thief. Goudie says resellers should tell their customers to “automate processes to remove the human element”.
4. The company you keep
This year saw the “watering hole” attack, where criminals target websites allied to their ultimate target. The attacker scans those websites for vulnerabilities and uses a compromised site to redirect its visitors to malicious sites. An SQL injection, for instance, takes advantage of website forms that don’t validate input and pass unauthorised code to a database. Or a website may invite uploads that run a program or install a shell the attacker uses to elevate access.
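As an added illustration of the form-input flaw described above (example code written for this article, not from any vendor quoted here), the same login lookup is done two ways against a constructed SQLite table: spliced into the SQL text, and bound as a parameter behind an allow-list check. The table, user names and the allow-list pattern are assumptions for the demo.

```python
import re
import sqlite3

# Assumed allow-list for the form's username field: reject anything else up front.
USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def is_valid_username(value):
    """Input validation: a quote or space never gets near the query."""
    return bool(USERNAME_RE.match(value))


def make_db():
    """Constructed in-memory table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only to keep the demo short; real stores hold salted hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Form fields are spliced into the SQL text, so a quote in the input rewrites the query."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Validate first, then bind the values as data: the driver never parses them as SQL."""
    if not is_valid_username(username):
        return []
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]
```

Feeding the password field `' OR '1'='1` to the first function returns every user; the second returns nothing for the same input.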
US Republican websites canvassing election donations were targeted by lookalike and possibly infected websites, redirecting funds into unauthorised accounts.
Verizon says the rise in “industrialised” crimes last year makes this more likely in future. And although partners were implicated in just 1 percent of attacks Verizon studied, that may be due to under-reporting.
Trend Micro engineer Vlado Vajdic says there are cases of supply chains being targeted – sometimes a bigger company is “owned” when it buys a smaller company. Make sure partners in the supply chain have the same security posture.
5. Bad guys are inside the firewall – and likely have been for a while
As trusted advisers, resellers have a unique role in helping customers swallow this sour truth: Verizon reports that 85 percent of breaches took at least a few weeks to find, and third parties found them in 92 percent of cases.
“Assume that the network is infected,” says Lastline’s Ben Teh. “It’s very difficult to get in to clean the system because rootkits infect the kernel.” RSA’s Farquhar urges organisations to “build defences around that assumption”.
To mitigate threats from the likes of drive-by attacks and roaming devices (especially in a BYOD environment with guest access), Teh advises scanning traffic to analyse code for dangerous behaviours.
Red flags the system is compromised:
• domains failing to resolve;
• connections that go to unusual destinations;
• login failures on database servers;
• programs running that ought not;
• users or applications escalating their privileges;
• unexpected secure web traffic (https).
A chained assault that started with a rogue email or IM session may communicate with a command-and-control server, trickling information out of the network, at unusual times or over secure web connections.
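One way to turn the red flags listed above, plus the out-of-hours command-and-control traffic just described, into a check that runs over log lines (example code added for this article, not a vendor product): each rule below maps to one flag, and the thresholds, the approved destination, the business hours and the log format are assumptions. The log lines are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real network), in an assumed
# "<timestamp> <kind> key=value ..." format.
SAMPLE_LOGS = """\
2013-07-02T02:14:05 dns host=ws-17 query=qx7k2.example-cdn.invalid result=NXDOMAIN
2013-07-02T02:14:06 dns host=ws-17 query=p9ab4.example-cdn.invalid result=NXDOMAIN
2013-07-02T02:14:07 dns host=ws-17 query=r3mz1.example-cdn.invalid result=NXDOMAIN
2013-07-02T02:15:10 conn host=ws-17 dst=203.0.113.44:443 proto=https bytes_out=184320
2013-07-02T09:01:00 conn host=ws-03 dst=198.51.100.10:443 proto=https bytes_out=2048
2013-07-02T10:22:31 db host=db-01 event=login_failed user=sa src=ws-17
2013-07-02T10:22:32 db host=db-01 event=login_failed user=sa src=ws-17
2013-07-02T10:22:33 db host=db-01 event=login_failed user=sa src=ws-17
2013-07-02T10:30:00 proc host=ws-17 event=start image=C:\\Users\\Public\\update.exe
2013-07-02T10:31:00 priv host=ws-17 event=elevated user=jsmith to=SYSTEM
2013-07-02T11:00:00 conn host=ws-03 dst=198.51.100.10:443 proto=https bytes_out=1024
"""

# Assumed site policy (placeholder values; tune for the customer's network).
KNOWN_HTTPS_DST = {"198.51.100.10:443"}            # approved outbound TLS endpoints
BUSINESS_HOURS = range(7, 19)                      # 07:00 to 18:59 local time
APPROVED_IMAGE_DIRS = ("C:\\Program Files\\", "C:\\Windows\\")
NXDOMAIN_THRESHOLD = 3                             # resolution failures per host
DB_FAIL_THRESHOLD = 3                              # failed DB logins per source

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "kind": m.group("kind")}
    rec.update(KV_RE.findall(m.group("fields")))
    return rec


def analyse(log_text):
    """Return {host: sorted red flags} for every host that tripped at least one."""
    flags = defaultdict(set)
    nxdomain = defaultdict(int)
    db_failures = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, kind = rec.get("host"), rec["kind"]
        if kind == "dns" and rec.get("result") == "NXDOMAIN":
            nxdomain[host] += 1                     # domains failing to resolve
            if nxdomain[host] >= NXDOMAIN_THRESHOLD:
                flags[host].add("domains failing to resolve")
        elif kind == "conn" and rec.get("proto") == "https":
            if rec.get("dst") not in KNOWN_HTTPS_DST:
                flags[host].add("connection to unusual destination")
            if int(rec["ts"][11:13]) not in BUSINESS_HOURS:
                flags[host].add("unexpected https traffic out of hours")
        elif kind == "db" and rec.get("event") == "login_failed":
            src = rec.get("src")                    # blame the client, not the DB server
            db_failures[src] += 1
            if db_failures[src] >= DB_FAIL_THRESHOLD:
                flags[src].add("login failures on database server")
        elif kind == "proc" and rec.get("event") == "start":
            if not rec.get("image", "").startswith(APPROVED_IMAGE_DIRS):
                flags[host].add("program running that ought not")
        elif kind == "priv" and rec.get("event") == "elevated":
            flags[host].add("privilege escalation")
    return {h: sorted(f) for h, f in flags.items()}
```

On the sample, only ws-17 is reported, with all six flags; ws-03, whose HTTPS goes to the approved endpoint during business hours, stays quiet.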
Compromised devices may be re-imaged or destroyed to curb the infection. Virtualised systems offer protection because they are viewed by an overarching framework (assuming the hypervisor is secure) and can trivially revert to a clean, earlier version.
Read on for how to learn the lingo, find and ditch the bad guy, keep an eye on the social, and the importance of knowing the three P's.
6. You have all you need to find the intruder and get rid of him
Australian Federal Police acting manager of cybercrime operations Brad Marden says “logs are the most critical” tool for remediation.
“Logs are crucial to recreating activity to system incident responders – even if they don’t report to police – if they just go to their anti-virus company or CERT Australia; it’s the most critical part of maintaining a security posture,” Marden says.
“They need to know how the hacker accessed their network and what information might have been removed in order to have a successful outcome in prosecution or identifying the harm.”
Logs were critical to helping NBN Co partner Platform Networks recover from David “Evil” Cecil’s attacks last year. Cecil, an unemployed truckie and self-taught hacker from Cowra, had earlier crashed Melbourne hosting provider DistributeIT in a devastating half-hour assault, costing it $4.5 million, the loss of 4000 websites on four unrecoverable servers and throwing its resellers into disarray when the company folded (the carcass was bought by Netregistry).
DistributeIT had inadequate systems to support investigation, but when Cecil soon after attacked Platform Networks, Marden says, a stronger defence informed by logs resulted in a 2½-year jail term for the assailant.
“Through cooperation with police there was little harm” to Platform Networks, Marden says. “If we have a good case, we have good prosecutional outcomes.”
It’s imperative that action is taken as soon as a breach is suspected, he says. Resellers should work with their customers to preserve the chain of evidence, isolating logs on a separate device and imaging affected systems. Investigators will often use the EnCase software to keep data from being contaminated or over-written, and a good security incident and event monitoring solution in place before the attack is vital.
“Preserve (the data) by taking it offline or getting a mirror,” Marden advises. Sourcefire director Chris Wood says organisations need real-time intelligence before “it’s too late”. They need “a full picture of what’s running across their networks”.
7. Know your “3 Ps” – Patches, Privileges and Programs
The Defence Signals Directorate’s Top 35 Mitigation Strategies are the best starting point to limit an organisation’s risk. In 2010 DSD found 85 percent of intrusions could be prevented by employing its top recommendations:
• patch applications and operating systems;
• limit user privileges;
• whitelist applications to prevent malicious apps from running.
“(It) can be achieved gradually, starting with computers used by the employees most likely to be targeted,” the DSD advises.
Trend Micro’s Oliver says users must be trained to accept critical security patches, even though it may slow their workday: “Especially Flash and Java because it’s on every device in the enterprise”.
Microsoft Office and PDF documents are also well targeted. And resellers should install software on their clients’ networks to monitor that the patches are installed and up to date, Oliver says.
8. Who you gonna call?
A cybercrime is a crime and should be reported to police, says AFP’s Marden. “We will take every report into consideration whether it’s to build up a bigger picture or to prosecute,” Marden says.
AFP officers speak at vendor and community security events and it’s worthwhile attending these to rub shoulders: “We try to get out to meet with people,” he says.
Verizon’s Goudie says relationships with police and security contractors must exist before you need them: “The last time you want to negotiate contracts with an organisation is when you’re” under attack, he says.
“Everyone knows to dial 000 when you need it, but very few people know who to call when negotiating a security event.” AFP Cybercrime Operations can be reached on firstname.lastname@example.org or tel: 1800 813 784.
9. Learn the lingo
“VERIS” is emerging as a standard language for reporting incidents, defining “Who did what to what (or whom) and with what result”. The Vocabulary for Event Recording and Incident Sharing is a framework against which attacks are defined and shared, and a basis for historical and trend analysis. It is becoming a standard way for expert witnesses to describe the agents, actions, assets and attributes of an attack.
10. Deal with the social
Intruders scan LinkedIn and social media profiles, and may escalate through individuals to get to their ultimate target. These recces may take up to a year or more of daily diligence to map out the target.
Hacking gangs are known to use management processes to break up tasks in a diligent and methodic way, sub-contracting to underground service providers with knowledge and skills.
“It’s a military-style attack,” says Websense A/NZ sales manager Gerry Tucker. Often the insertion point is an attractive lure, such as an email notification of an award, employment or promotion. More than four in five unsolicited emails have a web link to a compromised host, Tucker says.
“Even those who are paranoid get caught out because of how these emails” are written, he says. And it’s possible that mobile technologies, which encourage people to respond to such contacts on the go and at speed while their attention is diverted, may exacerbate the problem.
Tucker advises resellers to take a bite-sized approach to limit data leaks, using the 80-20 rule to focus on email, web traffic identification and especially unidentified increases in secure http traffic.
RSA’s Farquhar tells the story of a customer’s employee who got an email that he had won an award for five years’ service and should click a link to get his prize.
“It had all hallmarks of spearphishing, and he immediately disregarded it, but turns out it was legitimate,” Farquhar says.
The company had outsourced the awards to another organisation: “Companies need to understand not to muddy the (security) message”, he says.
Bitdefender used off-the-shelf security products and publicly available information to craft personalised emails to fool their recipients, says Bitdefender chief security researcher, Catalin Cosoi.
“Once you have those details you can easily create a targeted email that is very believable to the targeted people,” he says. And although the target company’s systems filtered out the threat, a recipient was so keen to switch roles he fished the offending email from the spam folder and unwittingly executed the exploit on his PC.
“Even though a company may take all defences possible, the weakest link is the employee.”
11. Don’t neglect anti-malware and DNS
With the emphasis on new-age attacks, it’s easy to forget that traditional approaches still have their place as part of a balanced security posture. For instance, Verizon found 69 percent of attacks last year used malware.
CSC’s Lawrence Ostle recommends Layer-2 and application whitelisting solutions to immunise against such malware while keeping an eye on how the layers within the network talk to each other to spot irregularities.
F5 Networks’ Adrian Noblett says attacks against applications are increasing in severity and frequency. “Hackers are sending valid application requests, they’re just sending more of them.”
This may be done to hide the objective of the attack or to bring down a server. In such cases, the targeted organisation has turned to a carrier “clean feed”, he says.
A stable, secure and responsive domain name server is critical to weather such assaults, he says. Watchguard’s Rob Collins advises “factors of two”, for instance using overlapping anti-malware software, because products vary in their ability to respond to threats.
“And secure your DNS channel – there’s no need to have port 53 (DNS requests) open and, if you do, only for certain servers,” Collins says.
12. Your customer’s PoS on the front line
Humble point-of-sale terminals – cash registers, mobile payment-collection systems, automated tellers and swipers at fuel pumps – are vulnerable to skimming exploits because they are often unattended.
Organisations are subject to payment card industry (PCI) requirements to monitor and guard these systems, requirements they often underestimate or neglect to their own detriment and that of their customers. That is especially true if, as a reseller, you’re providing PoS as a managed service to your customer.
Organisations should make tamper checks a part of each shift change, and quarantine suspected terminals for forensic investigation. Casual internet use by employees using these devices should be discouraged and they should not be connected to the net unless necessary. Organised crime is targeting payment card information from such systems and “can launch a sting against hundreds of victims during the same operation”, Verizon says.
Resellers and their customers should change default credentials and administrative passwords on PoS (and other internet-facing devices). A firewall or access-control list should also be applied to limit outside incursion. As a reseller, make sure the PoS is PCI DSS compliant.
Copyright © CRN Australia. All rights reserved.
Issue: 316 | July 2013